Once a process for securing assets is in place, a regularly scheduled
security audit will determine if the process is operating properly.
A security audit analyses the security of an application or group
of computers, and reviews the administrative functions going on
around the computers. This is done to ensure that security maintenance
activities outlined and mandated in the existing security plan or
process are actually being followed. Recommendations are made, as
required to help the organization improve security of its critical
systems and to maintain the security of these systems. Over time,
every security program will need updating as software and networking
Customer: A Large American Utility
Services: Security Auditing
Problem: The external auditors, required as part of their annual
report on the utility company, that the utility employ a third-party
review of the information security around process control systems.
Solution: An ESTec consultant performed vulnerability analysis for
each critical control system on-site and then interviewed administrative
personnel about security operations.
Results: While the systems in place proved not to be vulnerable
to intrusion through known holes, administrative procedures were
not state-of-the-art, as required, and certain systems did not have
adequate physical access controls or currently adequate backups.
No systems administrators were performing comprehensive log reviews,
although industry standards and internal security policies required
Results: Management was told that standards required it to increase
the number of logs, the administrative oversight of security, and
the available physical access controls. These recommendations were
followed, and the company increased administrators by 10% to enable
it to return to the original security maintenance standards it had
accepted. The result was a large increase in safety at a relatively
small increase in personnel costs. This allowed the company to meet
the demands of its auditors and the industry during the period in
question, thus avoiding penalty costs and lost income.